Hi and welcome to Spyware Warrior Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not solve other issues you have with your machine.
If you no longer require help, I would be grateful if you would let me know.

Before we start please note the following important guidelines.

If you don't know or understand something, please don't hesitate to ask.

Only post your problem at one help site. Applying fixes from multiple help sites can cause problems.

Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean". Remember, absence of symptoms does not mean the infection is all gone.

Please DO NOT run any other tools or scans whilst I am helping you.

Please DO NOT install any other software (or hardware) during the cleaning process.

Print each set of instructions if possible... your Internet connection will not be available during some fix processes.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

First, please disable any antivirus you have active, as shown in this topic.

Note: Don't forget to re-enable it after the scan.

Next, hold down Control, then click on the following link to open a new window to ESET Online Scanner.

Select the option YES, I accept the Terms of Use then click on Start.

Quote:

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

When prompted, allow the Add-On/ActiveX to install.

Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.

Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

Now click on Start.

The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.

When completed the Online Scan will begin automatically.

Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

Now click on Finish.

Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

Thank you for your help Cypher. My mother is a nearly 80 year old grey haired little old lady and she's driving me nuts with her computer issues.

I did not know Mom's computer had a proxy server, I'm sure she didn't set it and neither did I.

Her computer now has no internet access at all. When I go into the Network and Sharing Center it says it's connected to an unknown network.

I downloaded OTL and ESET online scanner on my computer then used a thumb drive (which I locked to read only before connecting it to her computer) to get OTL and ESET online scanner on her computer. The OTL ran successfully, but ESET online scanner did not. Can I safely put the two OTL txt files, OTL.txt and Extra.txt, on my thumb drive without infecting my own computer so I can post them back here? I don't want whatever bug-a-boo she's got on her computer on mine.

Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.

Double click on ComboFix.exe & follow the prompts

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
_________________
Admin/Teacher at Malware Removal University
Member of...

I was not able to disable either AVG 2012, or Windows 7 firewall. AVG 2012 wasn't even showing up in the system tray and when I tried to launch the program from Start/All Programs, nothing happened. ComboFix successfully ran. I'll post ComboFix.txt in just a moment....

Hi Rennix,
Good work so far, does your mother's computer still have no internet access?
Please run OTL as you did previously and post the resulting logs.

[ System Events ]
Error - 7/26/2011 1:33:30 PM | Computer Name = Colleen-HP | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Couple of things before I post the OTL output. Mom's got a Seagate FreeAgent GoFlex 500GB USB external drive that backs up her user files. It's been disconnected for the last couple of days. I have to figure that the external drive is infected with whatever is on her computer as well. How do you want to handle that?

Internet Explorer still cannot connect to google.com. I'm still getting the "Oops! Internet Explorer could not find www.google.com" error.

Mom's got a Seagate FreeAgent GoFlex 500GB USB external drive that backs up her user files. It's been disconnected for the last couple of days. I have to figure that the external drive is infected with whatever is on her computer as well. How do you want to handle that?

We will take a look at that soon, let's see if we can resolve the IE issue first.
Please don't connect the external drive until I ask you to.

Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)

When finished.

Click on File Handling button.

Click on Make Read Only? to secure it against infection.

Exit the programme.

Next.

I see you already have Malwarebytes Anti-Malware installed:

Launch the application, Check for Updates >> Perform Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Check all items except items in the C:\System Volume Information folder... and click Remove Selected.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

I'm afraid I have some bad news: your mother's computer is infected with a Rootkit. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

You are strongly advised to do the following:

Disconnect the computer from the Internet and from any networked computers until it is cleaned.

Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.

From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

DO NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its rootkit functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

We would like to try cleaning the machine first and if there is no luck there, then take the drastic course of action and format and reinstall everything. In theory at least, we have a backup on the external drive. Although the external drive is probably infected as well.

I have disconnected her computer from the internet and am ready for the next step.

Hi Rennix,
Sorry for the confusion.
You can use your mother's computer to reply to my posts.
I just need you to limit the computer's use until we get it clean.

I was able to connect to google for the first time in more than a week.

There has been some kind of error on reboot, something about Catalyst Control Centre not responding. AVG 2012 doesn't run at all; when I start the interface from Start/All Programs, nothing happens. It looked like Windows Firewall was running, but I don't know too much about that stuff.

Her computer is pretty fast and I don't use it much (unless there's some kind of a problem), so it's hard for me to judge its performance.

I followed your instructions and only got a command prompt window to open for an instant. I then tried opening a command prompt on my own, switched to the windows directory and entered a slightly modified version of the script you sent, "junction -s c:\ >log.txt&log.txt&del log.txt". The output I got was "access denied."

Hi Rennix,
These things never seem to go as planned.
Please navigate to My Computer > Local Disk C: > Windows.
Delete the copy of Junction there, now download a fresh copy and save it directly to your C Drive.
So it should appear as C:\junction.exe.

Next.

Copy all text in the quote box (below) to Notepad. Do not include the word Quote:

Quote:

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

Save it to your desktop as File name: junc.bat.

Save as type: All Files.
junc.bat<<------------- you should see this on your desktop.

Right click on junc.bat and select "Run as administrator" to execute it.
A black CMD window will flash, then disappear...this is normal.

A file should appear on your Desktop. Please post the contents of this file.
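
What the `junction -s c:\` step above collects, shown as an added example (not part of the original thread, and not the Junction tool's own code): a Python walk that lists reparse points such as junctions and symlinks together with their targets, without following them. The function names and the constructed sample tree in `demo()` are assumptions for illustration.

```python
import os
import stat
import tempfile

def is_reparse_point(path):
    """True for NTFS reparse points (junctions, symlinks) and POSIX symlinks."""
    st = os.lstat(path)                           # lstat: inspect the link itself
    attrs = getattr(st, "st_file_attributes", 0)  # field only exists on Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT) or stat.S_ISLNK(st.st_mode)

def find_reparse_points(root):
    """Walk root without descending into links; return sorted (path, target) pairs."""
    found, pending = [], [root]
    while pending:
        current = pending.pop()
        try:
            entries = list(os.scandir(current))
        except OSError:                           # e.g. "access denied": skip, keep going
            continue
        for entry in entries:
            try:
                if is_reparse_point(entry.path):
                    try:
                        target = os.readlink(entry.path)
                    except OSError:               # reparse point that is not a link
                        target = "<unreadable>"
                    found.append((entry.path, target))
                elif entry.is_dir(follow_symlinks=False):
                    pending.append(entry.path)
            except OSError:
                continue
    return sorted(found)

def demo():
    """Constructed sample tree: one real directory and one link pointing at it.
    (On Windows, creating the sample link may need an elevated prompt.)"""
    with tempfile.TemporaryDirectory() as root:
        real = os.path.join(root, "real")
        os.mkdir(real)
        open(os.path.join(real, "file.txt"), "w").close()
        os.symlink(real, os.path.join(root, "link"), target_is_directory=True)
        return [(os.path.relpath(p, root), os.path.relpath(t, root))
                for p, t in find_reparse_points(root)]

if __name__ == "__main__":
    for path, target in demo():
        print(f"{path} -> {target}")
```
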

Don't ask me why, but every time I ran junc.bat, I got an access denied until the last time I tried it and it worked. Maybe I'm not awake enough yet.

Don't worry, you're doing great so far.
OK, apart from the problem with AVG, have you noticed any other problems with the computer?
I haven't forgotten about the external HD.